Ethereal and NMap

This is the first in a series of excerpts from chapter 7 of Incident Response, published in August 2001 by O'Reilly. This excerpt covers two tools used by hackers to detect weaknesses in your network. You can use these tools to detect these same weaknesses before hackers get a chance to.

nmap

nmap, the Network Mapper, is both free software and a superb low-level network port scanner. Although not a vulnerability scanner per se, the value of nmap's output cannot be overrated. This is a must-have in any incident response team's bag of tricks, and can usually spot things that other commercial products might overlook. See www.insecure.org/nmap for more information from the author, Fyodor.

More on nmap

Fyodor describes nmap as follows:

"nmap is a utility for port scanning large networks, although it works fine for single hosts. The guiding philosophy for the creation of nmap was TMTOWTDI (There's More Than One Way To Do It). This is the Perl slogan, but it is equally applicable to scanners. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). You just can't do all this with one scanning mode. And you don't want to have 10 different scanners around, all with different interfaces and capabilities. Thus I incorporated virtually every scanning technique I know into nmap. Specifically, nmap supports:

nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings. nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence predictability characteristics, and output to machine parseable or human readable log files."

His description is accurate. nmap's usefulness during incident response operations is enormous. It can be used to rapidly scan a series of hosts for possible back door or malicious network-level software, for example, and is probably the fastest network scanner that you'll find anywhere. What's more, the individual scans can be chosen and tailored to a great degree by means of its command-line parameters. Admittedly, it takes some time to learn all of the command-line options, but it is time well spent. Further, nmap comes with a rather complete set of documentation by way of a Unix standard manpage.

Graphic frontends to nmap do exist and are readily available. Several pointers to these frontends are available on the previously mentioned web page. Frankly, for the purpose of incident response support, we've found the command-line interface to be the most flexible and powerful, once learned. Following are three screenshot examples of nmap's output. Figure 1 is in an X command-line session on a KDE 2 Linux desktop, and Figure 2 and Figure 3 are examples of two of the different GUI frontends to nmap.

Figure 1. Example of textual output from nmap.

Figure 2. Example nmapFE output.

Figure 3. Example KMAP output.

Ethereal

Ethereal (pronounced ethee-real) is a feature-rich protocol analyzer that runs on a variety of Unix and Unix-like operating systems including Linux, BSD, Solaris, AIX, HPUX, and Irix. It is open source software released under the GNU General Public License. Further, as of this writing, it is still officially considered beta software. See Figure 4 for sample Ethereal output.

Figure 4. Example Ethereal output

That's good news as well as bad news. First, it is freely available, so the cost of acquiring it isn't a factor for those cash-strapped teams out there. It runs on Unix and Linux, meaning it is well suited for analyzing large amounts of incident data. Also, several of the Unix (and similar) platforms supported are freely available, which further reduces the cost of an analysis system. Due at least in part to being open source, Ethereal's list of features reads like a "Wouldn't it be nice to have this?" list, since it is constantly being updated and upgraded. In fact, among the project's original stated design goals is to "create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers." The fact that it is still officially beta software, however, could diminish its usefulness in a courtroom situation.

Some of the more useful features from our standpoint include:

Data support

Ethereal can read a huge number of different datafile formats including Sniffer, TCPdump, Snoop, Cisco's IDS, and several others. The input data be GZIP-compressed, and Ethereal transparently uncompresses it. Additionally, it can write its output in plain ASCII text as well as PostScript format suitable for printing.

Ethereal can run either as a graphic user interface (GUI) or as a text mode interface. Having the text mode interface as a fallback can be tremendously useful, especially in running multiple Ethereal probes in different locations, as it can be very easy to connect to each probe remotely. Care should be taken not to transmit incident response data over a network that is under investigation. Remember, these tools need to be stealthy!

TCP stream reconstruction

This is one of the features that sets Ethereal apart from many protocol analyzers. Ethereal can reconstruct a TCP data stream such that all of the packets are in logical order, as opposed to the order that they were sent and received through the network itself. This feature can save the analyst a great deal of time, particularly since she is dealing with raw data that can become overwhelming if not easily ordered in sequence.